On Writing, Funding, and Distributing Software to Activists Against Authoritarian Regimes

Writing software to protect political activists against censorship and surveillance is a tricky business. If those activists are living under the kind of authoritarian regimes where a loss of privacy may lead to the loss of life or liberty, we need to tread especially cautiously.

A great deal of post-mortem analysis is occurring at the moment after the collapse of the Haystack project. Haystack was a censorship-circumvention project that began as a real-time response to Iranian election protests last year. The code received significant levels of media coverage, but never reached the levels of technical maturity and security that are necessary to protect the lives of activists in countries like Iran (or many other places, for that matter).

This post isn't going to get into the debate about the social processes that gave Haystack the kind of attention and deployment that it received, before it had been properly reviewed and tested. Instead, we want to emphasize something else: it remains possible to write software that makes activists living under authoritarian regimes safer. But the developers, funders, and distributors of that software need to remember that it isn't easy, and need to go about it the right way.

Here are a few essential points:

Secure communications tools need a clearly defined model of the privacy threats they defend against, and the way the design addresses those threats needs to be clearly and rigorously specified.

Careful thought needs to be put into user interface design, so that the end users of the system (who may not speak English, nor be sophisticated computer users) have some hope of understanding what threats the software is and isn't defending against. This is hard to do right, but it's very important: in some cases, if a dissident is a major target for a sophisticated government, they probably shouldn't be using networked computers at all.

Writing secure software is much harder than just writing software; it requires a different mindset and a whole extra set of skills and experience. Unless a project includes experienced, competent security engineers, it is almost certain to include bugs that threaten users' privacy (actually, all complex codebases include security bugs, but good security teams will be able to make them rarer and do a better job of mitigating the damage).

Tools need to be thoroughly tested by the computer security community before they are distributed to activists whose lives and liberty are at stake. Fortunately, plenty of well-tested tools are available to provide privacy and circumvention of censorship, including Tor, ssh, VPNs, or Gmail over HTTPS. All of these tools have their own limitations, and need to be used for the correct purposes, but they are the best choices for activists in at least some situations.

Until you're familiar with the extensive research literature on privacy-preserving communications systems, it's probably best to get involved with (or fund) one of the many existing projects that are trying to defeat Internet censorship, before starting your own. The Tor Project is the largest and most organized of these, and is a good place for developers and funders to find work that needs to be done. There are numerous academic groups doing high-quality research, and some of them also build invaluable privacy tools. There are also some small projects that still need a lot of extra work and security auditing, but which may one day provide extremely important tools for dissidents; the "T(A)ILS" project is one good example.
